Built off the open source project Osquery
Description: This query looks for the 'ExecutionPolicy' registry value under the HKEY_USERS hive to report the PowerShell script execution policy set in the local users' context.
What The Data Shows: The value returned is PowerShell's own setting, which determines the execution policy for PowerShell scripts, as described in Microsoft's documentation[1]. This is useful for IT hygiene and for keeping systems secure, since the values can later be changed if deemed necessary.
SQL:
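SELECT data, 'user' AS scope,
  -- Map the SID (second component of the key path) to its profile entry.
  -- ProfileList\<SID> holds several values, so select ProfileImagePath
  -- explicitly instead of whichever row the subquery returns first.
  (SELECT data
   FROM registry AS r2
   WHERE r2.key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\' || split(r1.key,'\',1)
     AND r2.name = 'ProfileImagePath') AS user,
  datetime(r1.mtime,'unixepoch','localtime') AS mtime
FROM registry AS r1
WHERE r1.key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
  AND r1.name = 'ExecutionPolicy';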
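
A companion query, added here as an example and not part of the original page or the project's query set. It goes beyond the user scope above and returns every registry-backed execution policy scope, so a per-user value can be read against the Group Policy and machine-wide settings around it. Scope names and registry paths are those Microsoft documents for PowerShell execution policies; the `precedence` and `sid` column names are introduced for this example.

```sql
-- Added example: all registry-backed PowerShell execution policy scopes.
-- precedence follows Microsoft's documented order (1 = wins first).
-- Precedence 3 (Process scope) is set per session and is not stored
-- in the registry, so it cannot appear in this result set.
SELECT 1 AS precedence, 'MachinePolicy' AS scope, NULL AS sid, name, data,
       datetime(mtime, 'unixepoch', 'localtime') AS mtime
FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
  AND name IN ('EnableScripts', 'ExecutionPolicy')
UNION ALL
-- Group Policy applied per user; the SID is the second path component.
SELECT 2, 'UserPolicy', split(key, '\', 1), name, data,
       datetime(mtime, 'unixepoch', 'localtime')
FROM registry
WHERE key LIKE 'HKEY_USERS\%\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
  AND name IN ('EnableScripts', 'ExecutionPolicy')
UNION ALL
-- The per-user value that the query on this page reports.
SELECT 4, 'CurrentUser', split(key, '\', 1), name, data,
       datetime(mtime, 'unixepoch', 'localtime')
FROM registry
WHERE key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
  AND name = 'ExecutionPolicy'
UNION ALL
-- Machine-wide default, used when no higher scope defines a policy.
SELECT 5, 'LocalMachine', NULL, name, data,
       datetime(mtime, 'unixepoch', 'localtime')
FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
  AND name = 'ExecutionPolicy'
ORDER BY precedence, sid;
```

A scope with no row is undefined at that level. For each user, the effective policy is the row with the lowest precedence number among that user's SID and the two machine-level scopes.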